Securing Middle America: small towns more at risk of ransomware, phishing and more

Cybersecurity firms may be leaving money on the table chasing big fish in the form of large enterprise deals, while smaller local government entities go unprotected.

While cyberattacks target entities of all sizes in both the public and private sector, small towns can find themselves especially vulnerable as the result of a lack of funds and knowledge. Within the last month, ransomware shut down the operations of a North Carolina water utility company, an Idaho county, and most recently the Indiana National Guard.

These threats could be amplified as the 2018 midterm elections approach.

Untangle Chief Product Officer Dirk Morris said most cybersecurity companies have an enterprise focus and often compete for the same large customers. In addition, the solutions these firms offer are often complex and costly.

“Therefore, the mid-market and below, especially the smallest organizations, are often underserved when it comes to technology solutions that are powerful, yet simple, enough for them to be implemented to be in a cost-effective and maintainable manner,” Morris said.

“However, the needs of these smaller organizations are often more acute since they usually lack in-house expertise, budget and training resources to adequately protect them from threats.”

Thomas MacLellan, director of government affairs at Symantec said these smaller agencies face a resource and business engineering issues as smaller local governments not only have more limited budgets overall but also have more limited budgets per capita as compared to larger metropolitan areas.

“Scale is an important component of implementing effective cybersecurity programs,” MacLellan said. “You need to be able to protect multiple attack vectors simultaneously, and often the lead cybersecurity professional for smaller jurisdictions may simply not have the bandwidth or tools to deploy an effective program.”

MacLellan added that from a business perspective, there aren’t the same mutual aid programs in place that are set in place to help in the event of disasters such as hurricanes, tornadoes, and large-scale man-made events. Fortunately, things are starting to change as states are looking for ways to help local governments purchase the technology off their contracts making them cheaper for locals.

New York State CISO Deborah Snyder Tuesday told a panel at the NCSA and NASDAQ Cybersecurity Summit that every New York State employee gets annual cybersecurity training and that the state tries to work with local governments to help them secure their systems.

Even in these situations Snyder said there can be problems with local governments not accepting the help offered from the state, and many local governments in other states lack the same level of support with many lacking the financial and IT resources to properly secure their systems.

“Local governments generally don’t have the funding required to maintain a large security staff and large set of security tools,” Chris Morales, head of security analytics at Vectra said.

“More often, at best, local governments are leveraging an outsourcing security provider to provide security monitoring with no more than one or two people on the local government security team managing day to day operations.”

In many of these cases the security person is also the same IT person serving multiple roles. MacLellan said that at a bare minimum these IT departments should at least use the NIST Cybersecurity Framework to assess their cyber-readiness to help develop and implement strategic readiness plans.

“They also need to move toward purchasing and managing services more than they currently do, and to look for ways to partner with either states or other jurisdictions,” MacLellan said. “They shouldn’t be building cybersecurity systems so much as strategically managing them.”

States can also look to Federal programs like E-Rate which provides financial support for school and libraries to support stronger cybersecurity initiatives in these areas.

Morales said that in general small businesses and local governments do not see themselves as a target as they assume they do not have the same value to an attacker as a large organization.

“Based on the latest Verizon Data Breach Report, most breaches do occur to small businesses,” Morales said. “The Department of Homeland Security provides a vehicle for providing funding for technology as well as services and training to local security programs to assist in their response effort.

He added that his firm has found success working with state and local governments using these Continuous Diagnostics and Mitigation (CDM) contracts.

Morris said agencies that face the challenges of adequate cybersecurity measures, regulatory compliance and strict budgets should turn to solutions designed for smaller organizations both in terms of cost-effectiveness and ease-of-use as some technology vendors offer discounts to the public sector.

In order for any of this to work, these local entities have to acknowledge that they are at risk. Joseph Carson, chief security scientist at Thycotic said cyber awareness training is the first major step to ensuring all levels of local government are educated and aware of the cyber threats from the leadership all the way down to the secretaries and clerks.

In addition, agencies need to enforce multi-factor authentication for all governments systems including email, use password vaults to improve cyber hygiene, and protected and secure privileged access to sensitive data, applications, devices, and systems. Morales added that it’s also important to use encryption and have secure backups in place for ransomware attacks.

“Unfortunately, everyone assumes they are protected until it is too late,” Carson said. “This is all too common for local governments and organizations that rely on traditional security controls, such as antivirus and firewalls, until they find out that someone clicked on an email that stole an employee’s credentials and bypassed all security controls.”

Morris noted even with the right resources for detection and response in place things could still go wrong if the IT team doesn’t prioritize cybersecurity hygiene, a sin even larger cities often commit.

“With the recent city of Atlanta ransomware outbreak, sources reported that technology administrators were already aware that a computer used for video encoding was infected by WannaCry and petitioned officials to be able to remediate the issue and block ports to prevent it from spreading,” Morris said. “Unfortunately, this scenario is all too common.”

Some local entities are aware they are at risk, but have yet to take proper action. MacLellan said most local governments know they’re exposed, but just don’t know how exposed they are with the only potential upside being cybercriminals just not finding them worth the effort.

“I’ve had a number of local CIOs and CISOs tell me that they’re surprised they haven’t been a victim yet,” MacLellan said. “I once heard the CISO for a large company say that ‘if your CISO is telling you you’re completely protected, you should fire them.’”

MacLellan said the bigger risk these local governments could face could come in the form of attacks motivated by events or issues (think Anonymous), or attackers who are trying to undercut the confidence of a larger system such as an elections system.